Skip to content

S1047 Mori

Mori is a backdoor that has been used by MuddyWater since at least January 2022.21

Item Value
ID S1047
Associated Names
Type MALWARE
Version 1.0
Created 30 September 2022
Last Modified 17 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.2
enterprise T1071.004 DNS Mori can use DNS tunneling to communicate with C2.21
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Mori can use Base64 encoded JSON libraries used in C2.2
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data Mori has obfuscated the FML.dll with 200MB of junk data.2
enterprise T1140 Deobfuscate/Decode Files or Information Mori can resolve networking APIs from strings that are ADD-encrypted.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Mori can delete its DLL file and related files by Registry value.2
enterprise T1112 Modify Registry Mori can write data to HKLM\Software\NFC\IPA and HKLM\Software\NFC\ and delete Registry values.21
enterprise T1012 Query Registry Mori can read data from the Registry including from HKLM\Software\NFC\IPA and
HKLM\Software\NFC\.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Mori can use regsvr32.exe for DLL execution.2

Groups That Use This Software

ID Name References
G0069 MuddyWater 2

References

  1. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  2. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.